コード例 #1
0
  private List<HivePrivilegeObject> filterShowTables(
      List<HivePrivilegeObject> listObjs, String userName, HiveAuthzBinding hiveAuthzBinding) {
    List<HivePrivilegeObject> filteredResult = new ArrayList<HivePrivilegeObject>();
    Subject subject = new Subject(userName);
    HiveAuthzPrivileges tableMetaDataPrivilege =
        new HiveAuthzPrivileges.AuthzPrivilegeBuilder()
            .addInputObjectPriviledge(
                AuthorizableType.Column, EnumSet.of(DBModelAction.SELECT, DBModelAction.INSERT))
            .setOperationScope(HiveOperationScope.TABLE)
            .setOperationType(
                org.apache.sentry.binding.hive.authz.HiveAuthzPrivileges.HiveOperationType.INFO)
            .build();

    for (HivePrivilegeObject obj : listObjs) {
      // if user has privileges on table, add to filtered list, else discard
      Table table = new Table(obj.getObjectName());
      Database database;
      database = new Database(obj.getDbname());

      List<List<DBModelAuthorizable>> inputHierarchy = new ArrayList<List<DBModelAuthorizable>>();
      List<List<DBModelAuthorizable>> outputHierarchy = new ArrayList<List<DBModelAuthorizable>>();
      List<DBModelAuthorizable> externalAuthorizableHierarchy =
          new ArrayList<DBModelAuthorizable>();
      externalAuthorizableHierarchy.add(hiveAuthzBinding.getAuthServer());
      externalAuthorizableHierarchy.add(database);
      externalAuthorizableHierarchy.add(table);
      externalAuthorizableHierarchy.add(Column.ALL);
      inputHierarchy.add(externalAuthorizableHierarchy);

      try {
        hiveAuthzBinding.authorize(
            HiveOperation.SHOWTABLES,
            tableMetaDataPrivilege,
            subject,
            inputHierarchy,
            outputHierarchy);
        filteredResult.add(obj);
      } catch (AuthorizationException e) {
        // squash the exception, user doesn't have privileges, so the table is
        // not added to
        // filtered list.
      }
    }
    return filteredResult;
  }
コード例 #2
0
  private List<HivePrivilegeObject> filterShowDatabases(
      List<HivePrivilegeObject> listObjs, String userName, HiveAuthzBinding hiveAuthzBinding) {
    List<HivePrivilegeObject> filteredResult = new ArrayList<HivePrivilegeObject>();
    Subject subject = new Subject(userName);
    HiveAuthzPrivileges anyPrivilege =
        new HiveAuthzPrivileges.AuthzPrivilegeBuilder()
            .addInputObjectPriviledge(
                AuthorizableType.Column,
                EnumSet.of(
                    DBModelAction.SELECT,
                    DBModelAction.INSERT,
                    DBModelAction.ALTER,
                    DBModelAction.CREATE,
                    DBModelAction.DROP,
                    DBModelAction.INDEX,
                    DBModelAction.LOCK))
            .setOperationScope(HiveOperationScope.CONNECT)
            .setOperationType(
                org.apache.sentry.binding.hive.authz.HiveAuthzPrivileges.HiveOperationType.QUERY)
            .build();

    for (HivePrivilegeObject obj : listObjs) {
      // if user has privileges on database, add to filtered list, else discard
      Database database = null;

      // if default is not restricted, continue
      if (DEFAULT_DATABASE_NAME.equalsIgnoreCase(obj.getObjectName())
          && "false"
              .equalsIgnoreCase(
                  hiveAuthzBinding
                      .getAuthzConf()
                      .get(
                          HiveAuthzConf.AuthzConfVars.AUTHZ_RESTRICT_DEFAULT_DB.getVar(),
                          "false"))) {
        filteredResult.add(obj);
        continue;
      }

      database = new Database(obj.getObjectName());

      List<List<DBModelAuthorizable>> inputHierarchy = new ArrayList<List<DBModelAuthorizable>>();
      List<List<DBModelAuthorizable>> outputHierarchy = new ArrayList<List<DBModelAuthorizable>>();
      List<DBModelAuthorizable> externalAuthorizableHierarchy =
          new ArrayList<DBModelAuthorizable>();
      externalAuthorizableHierarchy.add(hiveAuthzBinding.getAuthServer());
      externalAuthorizableHierarchy.add(database);
      externalAuthorizableHierarchy.add(Table.ALL);
      externalAuthorizableHierarchy.add(Column.ALL);
      inputHierarchy.add(externalAuthorizableHierarchy);

      try {
        hiveAuthzBinding.authorize(
            HiveOperation.SHOWDATABASES, anyPrivilege, subject, inputHierarchy, outputHierarchy);
        filteredResult.add(obj);
      } catch (AuthorizationException e) {
        // squash the exception, user doesn't have privileges, so the table is
        // not added to
        // filtered list.
      }
    }
    return filteredResult;
  }
コード例 #3
0
  /**
   * Check if current user has privileges to perform given operation type hiveOpType on the given
   * input and output objects
   *
   * @param hiveOpType
   * @param inputHObjs
   * @param outputHObjs
   * @param context
   * @throws SentryAccessControlException
   */
  @Override
  public void checkPrivileges(
      HiveOperationType hiveOpType,
      List<HivePrivilegeObject> inputHObjs,
      List<HivePrivilegeObject> outputHObjs,
      HiveAuthzContext context)
      throws HiveAuthzPluginException, HiveAccessControlException {
    if (LOG.isDebugEnabled()) {
      String msg =
          "Checking privileges for operation "
              + hiveOpType
              + " by user "
              + authenticator.getUserName()
              + " on "
              + " input objects "
              + inputHObjs
              + " and output objects "
              + outputHObjs
              + ". Context Info: "
              + context;
      LOG.debug(msg);
    }

    HiveOperation hiveOp = SentryAuthorizerUtil.convert2HiveOperation(hiveOpType.name());
    HiveAuthzPrivileges stmtAuthPrivileges = null;
    if (HiveOperation.DESCTABLE.equals(hiveOp)
        && !(context.getCommandString().contains("EXTENDED")
            || context.getCommandString().contains("FORMATTED"))) {
      stmtAuthPrivileges = HiveAuthzPrivilegesMap.getHiveAuthzPrivileges(HiveOperation.SHOWCOLUMNS);
    } else {
      stmtAuthPrivileges = HiveAuthzPrivilegesMap.getHiveAuthzPrivileges(hiveOp);
    }

    HiveAuthzBinding hiveAuthzBinding = null;
    try {
      hiveAuthzBinding = getAuthzBinding();
      if (stmtAuthPrivileges == null) {
        // We don't handle authorizing this statement
        return;
      }

      List<List<DBModelAuthorizable>> inputHierarchyList =
          SentryAuthorizerUtil.convert2SentryPrivilegeList(
              hiveAuthzBinding.getAuthServer(), inputHObjs);
      List<List<DBModelAuthorizable>> outputHierarchyList =
          SentryAuthorizerUtil.convert2SentryPrivilegeList(
              hiveAuthzBinding.getAuthServer(), outputHObjs);

      // Workaround for metadata queries
      addExtendHierarchy(
          hiveOp,
          stmtAuthPrivileges,
          inputHierarchyList,
          outputHierarchyList,
          context.getCommandString(),
          hiveAuthzBinding);

      hiveAuthzBinding.authorize(
          hiveOp,
          stmtAuthPrivileges,
          new Subject(authenticator.getUserName()),
          inputHierarchyList,
          outputHierarchyList);
    } catch (AuthorizationException e) {
      Database db = null;
      Table tab = null;
      AccessURI udfURI = null;
      AccessURI partitionURI = null;
      if (outputHObjs != null) {
        for (HivePrivilegeObject obj : outputHObjs) {
          switch (obj.getType()) {
            case DATABASE:
              db = new Database(obj.getObjectName());
              break;
            case TABLE_OR_VIEW:
              db = new Database(obj.getDbname());
              tab = new Table(obj.getObjectName());
              break;
            case PARTITION:
              db = new Database(obj.getDbname());
              tab = new Table(obj.getObjectName());
            case LOCAL_URI:
            case DFS_URI:
          }
        }
      }
      String permsRequired = "";
      SentryOnFailureHookContext hookCtx =
          new SentryOnFailureHookContextImpl(
              context.getCommandString(),
              null,
              null,
              hiveOp,
              db,
              tab,
              udfURI,
              partitionURI,
              authenticator.getUserName(),
              context.getIpAddress(),
              e,
              authzConf);
      SentryAuthorizerUtil.executeOnFailureHooks(hookCtx, authzConf);
      for (String perm : hiveAuthzBinding.getLastQueryPrivilegeErrors()) {
        permsRequired += perm + ";";
      }
      SessionState.get().getConf().set(HiveAuthzConf.HIVE_SENTRY_AUTH_ERRORS, permsRequired);
      String msg =
          HiveAuthzConf.HIVE_SENTRY_PRIVILEGE_ERROR_MESSAGE
              + "\n Required privileges for this query: "
              + permsRequired;
      throw new HiveAccessControlException(msg, e);
    } catch (Exception e) {
      throw new HiveAuthzPluginException(e.getClass() + ": " + e.getMessage(), e);
    } finally {
      if (hiveAuthzBinding != null) {
        hiveAuthzBinding.close();
      }
    }

    if ("true"
        .equalsIgnoreCase(
            SessionState.get().getConf().get(HiveAuthzConf.HIVE_SENTRY_MOCK_COMPILATION))) {
      throw new HiveAccessControlException(
          HiveAuthzConf.HIVE_SENTRY_MOCK_ERROR
              + " Mock query compilation aborted. Set "
              + HiveAuthzConf.HIVE_SENTRY_MOCK_COMPILATION
              + " to 'false' for normal query processing");
    }
  }